Saturday, September 27, 2014

Public Computer Security Misperceptions Abound

Gmail Google Phishing Message

Generally, I try to avoid giving out unsolicited advice, but, sometimes, will reflexively do so, especially for a friend who I know encountered some kind of "Windows" security issue.

Well, a friend posted up a gmail message they had received with concern to make their circle of friends aware of.

It is of the email 'click-bait' variety.  They all work the same on legacy Windows (x86) from present 8.1 back to Windows 2000.  The commonality is that all versions share the same core WinNT design that Microsoft cannot change as it will 'break' Enterprise software badly.

No, it's more what I call "shooting fish in a barrel" or "taking candy from a baby".  The email sent to the unwary Windows user is 'socially engineered' to steer them to opening the email and/or attachment, either of which (on Windows) will spawn Javascript to download and inject DLL code and run all silently unbeknownst to the user -- until, of course, it's too late when suddenly a rogue fake security warning comes up or the dreaded CryptoLocker virus has just finished locking (encrypting hard drive) the user out of their system and very professionally offers up a screen of payment credit card options for making payment, which will unlock said PC.  CryptoLocker is becoming endemic.

So, my weak moment was to offer unsolicited advice to the poster of Drive-by threats inherent in the use of Windows.  This kind of advice was coupled to my 'standard' recommendation to the poster to consider switching to Linux which I have used since 2005.

I've been in the IT business for 20 years and ought to know something at this point in my life about issues regarding computer security, one would think.  Yet, despite offering up this kind of friendly advice, there is always the random respondent who turns up and shows his/her ignorance with great facile, I might add.  Here are their remarks:

"I hate this kind "commercial" attitude some people have. I dont like Linux. It may be the safest whatever OS and good for servers. But I don't like it. How can someone possibly even think Linux is safer when its open source for God's sake the only reason Linux is safe is  because is not as popular as windows yet. Maybe it might become that much popular and be used almost everywhere but as far as I'm concerned almost all companies and 90 % of the users worldwide are still on windows. That is why its the most vulnerable because if I was a criminal who would I attack?  A bigger area of effect obviously. 
How little people think nowadays really. Thank you for your kind offer but I'm not going to an open source program. Keep your eyes open for "these kind of threats" and alert others.
No operating system that is on the internet is safe. Not even Linux. Linux has one of the biggest issues if anything for being open source. If anything attacking the Linux website one day for example and their downloads and all other server connections they have would  compromise absolutely every single user and you do not need to be a computer tech to realize that. 
Thank you, but no. Have a wonderful day. :)"

Okay, instead of responding in my friends post, I chose to submit to her woeful ignorance and put things into perspective here point by point:

1) "I hate this kind "commercial" attitude some people have."

Commercial?  This was posted to a 'friend' for her benefit and so wasn't a commercial or if she meant an endeavor to profit, Linux is FREE.  It wasn't motivated by money.

2) "How can someone possibly even think Linux is safer when its open source for God's sake."

Huh?  The user presumably associates the word 'open' with some form of security vulnerability like 'leaving the door open'?  One of the cornerstones of Linux is its Gnu Public License for sharing the entire source code base and making changes to it freely.   Because of this, user of Linux enjoy true "Transparency", which means many eyes (more so than what Microsoft has in employee headcount), around the globe are looking at and vetting source code to ensure no rogue code insertion occurs.  Unlike Linux, Windows is proprietary and the end-user cannot see their source code, cannot copy it, and thus have NO idea whatsoever what the employees of legacy Windows did or did not do to the code base.  Being proprietary means effectively, Microsoft can write the operating system and applications however they wish, and, that includes code insertion of functionality like 'back doors'.

Yep, back doors exist in Windows for both Microsoft's use and for their partnering governmental agencies which wish to access your PC.  They come and go silently with impunity.  After you've thought about that for a minute, go find some black electric tape and place it over your Laptop's camera, mmmkay?

This doesn't even speak to the unfixed zero-day exploits present and hidden because Microsoft's code base is not viewable by anyone other than their privileged but shrinking staff of programmers most of whom didn't write the original code and might not have a clue as to how to go about changing it.  Those programmers left 5-10-15 years ago.  So, Zero-Day exploits are rampant, and, the hackers that have discovered them sell their exploits on the black market to people on the other side of the globe who want access to you, usually for money.

Microsoft code doesn't get continually refactored like Linux and vetted for safety.  It gets written and then forgotten.  Their maintainers will fix what they can if they can do so without breaking the system, but their resources are limited.

3) "Linux is safe is because is not as popular as windows yet."

Oh right.  The security by obscurity argument.  Alright let me explain the central security issue with Windows:

If an exploit (drive-by, email attachment same difference) on Windows is 'successful' in running, it will make its own SYSTEM call() to perform an 'Administrative' function.  It is at this point that Windows should stop to check on what that 'action' is and by what process id (parent) is making the call.  It doesn't.  Nope.  Once the exploit gets a toe hold, it proceeds to run administratively with no other cross-check security mechanism.  Got that?  Your PC is officially owned.

With Fedora Linux, you have what is called sandboxing technology.  SELinux, a Linux Security Module (LSM), binds to the kernel at bootstrap and maintains a 'hook' api in the SYSTEM kernel.  This 'hook' gets called on each granular system administrative process invoked on Linux.  SELinux (the Sandbox or Mandatory Access Control), cross-checks each discrete action against its policy group for the calling app  and if it isn't an allowed action, it on returning from the hook sends a 'deny' to the kernel.  The rogue code, exploit, is stopped cold.

It doesn't matter from whenst it came, the sandbox blocks it from getting a toe hold in Fedora Linux.

Windows Legacy users?  To you I say: Go with God.

Fedora Linux: The safest operating system on the Planet.
I stake my reputation on it.  -- Dietrich


Post a Comment